STATUTORY INSTRUMENTS 2012 No. _

STATUTORY INSTRUMENTS 2012 No. _ THE ELECTRONIC SIGNATURES REGULATIONS 2012 ARRANGEMENT OF REGULATIONS Regulation PART I-PRELIMINARY 1. Title. 2. Interpretation PART II - LICENSING AND RECOGNITION OF CERTIFICATION SERVICE PROVIDERS Requirements for certification service providers 3. Qualifications to provide certification services 4. Technical and operational requirements Application for certification service provider licence and recognition of repository providers 5. Application to provide certification services, repository or stamp services 6. Recognition of foreign certification service providers 7. Grant or refusal of licence or recognition 8. Application for exemption from licence, recognition or registration PART II- GENERAL PROVISION RELATING TO LICENCES AND RECOGNITION 9. Duration of licence, registration or recognition 10. Transfer of licence. 11. Agents of a licensee, registered or recognized provider. 12. Renewal of a licence, registration or recognition. 13. Suspension and revocation of licence, registration or recognition.

14. Surrendering a licence, registration or recognition PART IV- CERTIFICATION SERVICE PROVIDERS 15. Particulars of certification service provider disclosure records 16. Requirement to provide information for disclosure records 17. Retention of certification service provider disclosure records PART V - REQUIREMENTS FOR ISSUING CERTIFICATES TO SUBSCRIBERS 18. Types of certificates 19. Issuing certificates to subscribers 20. Suspension or revocation of certificate 21. Order by Controller to suspend or revoke certificate 22. Privacy and protection of subscriber s information PART VI - CERTIFICATION PRACTICE STATEMENTS 23. Preparation and publication of certification practice statements 24. Form of certification practice statement 25. Contents of a certification practice statement PART VII- REPOSITORIES 26. Responsibilities of providers of repository services 27. Archive of suspended or revoked certificates PART VIII- DATE AND TIME STAMP SERVICES 28. Operations of date and time stamp service provider PART IX RECORDS KEEPING BY CERTIFICATION SERVICE, REPOSITORY AND DATE AND TIME STAMP PROVIDERS 29. Records to be kept by certification, repository, and date and time service providers PART X- COMPLIANCE AUDITS 30. Registration of auditors 31. Qualifications for compliance auditors 32. Revocation of registration of auditor

33. Auditing of certification, repository and date and time stamp providers PART XI COMPLAINTS AND DISPUTES 34. Internal complaints procedures of providers 35. Records of complaints 36. Complaints to Controller 37. Resolution of complaints by Controller 38. Complaints between service providers PART XII- GENERAL PROVISIONS 39. Appeals 40. Submission of information 41. Fees SCHEDULES

THE ELECTRONIC SIGNATURES REGULATIONS 2012 (Under section 97 of the Electronic Signatures Act, 2011, Act No.7 of 2011) IN EXERCISE of the powers conferred upon the Minister responsible for information and communication technology by section 97 of the Electronic Signatures Act, 2011, and on the recommendation of the National Information Technology Authority, these Regulations are made, this day of 2012. PART I-PRELIMINARY 1. Title. These Regulations may be cited as the Electronic Signatures Regulations, 2012. 2. Interpretation In these Regulations, unless the context otherwise requires Act means the Electronic Signatures Act, 2011. PART II - LICENSING AND RECOGNITION OF CERTIFICATION SERVICE PROVIDERS Requirements for certification service providers 3. Qualifications to provide certification services (1) The Controller shall not licence a person as a certification service provider unless that person meets the qualifications specified in sub regulation (2) (2) Every person certification services provide shall - (a) have adequate expertise or experience to operate as a certification service provider;

(b) utilize a secure and reliable system in providing certification services; (c) have adequate measures in place to ensure all employees are fit and proper to carry out the duties assigned to them; (d) comply with the operational and technical requirements specified in regulation 4; (e) have adequate policies relating to information security and privacy, physical security, and disaster recovery; (f) provide evidence of access to adequate working capital to enable it to operate as a certification service provider; and (g) has adequate insurance cover, including liability cover for subscribers and persons relying on certificates issued. 4. Technical and operational requirements (1) A certification service provider shall have the following technical components- (a) at the generation of key pairs, technical components that ascertain that (i) any given key can only occur once; (ii) a private key cannot be derived from the corresponding public key; (iii) keys cannot be duplicated; (b) during the generation and storage of key pairs, and the verification of digital signatures, technical components that have security features which (i) allow the use of the private key only after identification of the user through a personal identification number or other data used for identification in conjunction with the data storage medium for the private key of the user; (ii) do not disclose the private key during its use; (iii) function in a manner that prevents the private key from being derived from the digital signature; and

(iv) make forgery of digital signatures and falsification of signed data reliably noticeable and protect against the unauthorised use of the private key; (c) for the purpose of collecting identification data, technical components that function in a manner that (i) does not reveal the identification data; and (ii) ensures that the identification data is stored only on the data storage medium with the private key; (d) for the representation of data to which a signature is to be applied or associated, technical components that have security features which (i) show unmistakably and in advance the creation of a digital signature; and (ii) allow a determination of the data to which the digital signature refers; (e) for the purposes of checking signed data, technical components that have security features which allow the determination of (i) whether the signed data are unchanged; (ii) which date the digital signature refers; and (iii) which private key owner the digital signature is to be attributed; (f) in the case of verifying certificates, technical components that allow clear and reliable determination of whether verified certificates were present, without having been invalidated, in the published with a recognized repository; (g) in the case of a record maintained for the purposes of disclosure to the certification authority or any other record maintained in a verifiable or accessible manner under the Act or these Regulations, technical components that protect (i) the data storage mediums in which the records are stored; and (ii) the repositories in which the records are published, from unauthorized access and unauthorized modification; (h) for the generation of time-stamps, technical components that function in

such a manner that the valid official time, without distortion is added to the time-stamp when it is generated. (2) The technical components referred to in sub-regulation 1 shall be sufficiently examined and verified by the Controller. (3) The Controller may require a demonstration that the requirements referred to in sub-regulation (1) have been fulfilled. (4) Any security-relevant changes in technical components shall be apparent to the user. (5) The technical components used for the purposes of the Act and these Regulations shall be protected from unauthorized access and unauthorized modification. Application for certification service provider licence and recognition of repository providers 5. Application to provide certification services, repository or stamp services (1) A person intending to provide certification services, a repository or date and time stamp services shall apply to the Controller for a license or recognition in accordance with these Regulations. (2) The application shall be in Form 1 in Schedule 1 and shall - (a) state the name and address of the applicant, and in the case of an individual, an identification number of that person, and if a juristic person, the registration number of that person; (b) state the name and address of the contact person if different from the applicant; (c) in the case of a juristic person, (i) the details of all shareholders or other ownership interests in the applicant, including the identity and nationality of holders of ownership interests and if the holders of ownership interests are juristic persons, full details of their ownership interests;

(ii) the nationalities of the members of the board of directors or other governing body; (d) include a statement of expertise and experience of the applicant, including the identification of, job descriptions and curriculum vitae of management and other key personnel as well as the agents; (e) include a declaration that the applicant employs operative personnel who have not been convicted of an offence in Uganda or any other country involving fraud, a false statement, deception or any felony; (f) include a description of the proposed services to be provided, which may include issuing certificates only or issuing certificates and ancillary services, such as repository services or date or time stamp services, as well as detailed operating procedures for the proposed services; (g) include a description of the technical specifications of hardware and software systems, including a description and location of facilities, and indicate any standards that the systems or facilities comply with; (h) include policies for information security, privacy, physical security, and disaster recovery; (i) include a statement setting out the proposed costs and financing; (j) provide proof of adequate insurance cover; (k) include a report from a qualified auditor certifying that the prescribed licensing and qualification requirements set out in the Act and these regulations have been satisfied; and (l) include any other information the applicant believes might be relevant to the Controller in considering the application. (3) Every application shall be accompanied by the fees specified in Schedule 2. (4) The Controller may request further information or documentation, which shall be provided by the applicant to the Controller in the time and the manner set out by the Controller.

6. Recognition of foreign certification service providers (1) The Controller may recognize a foreign certification service provider for the purposes of providing certification services under the Act. (2) An application for recognition under sub regulation (1) shall be made to the Controller in Form 1 in Schedule 1 and shall, in addition to the matters required under regulation 5, - (a) state the name and address of the agent in Uganda; (b) include a copy of the licence or other authorization issued in country where the provider is registered as a certification service provider (c) include a report from a qualified auditor certifying that the applicants operations comply with the operational and technical standards and requirements set out in the Act and these Regulations; and (d) include any other information the applicant believes might be relevant to the Controller in considering the application. (3) The application shall be accompanied by the prescribed fees. (4) The Controller may request for further information, which shall be provided by the applicant in the time and the manner specified by the Controller. 7. Grant or refusal of licence or recognition (1) Within thirty days after receipt of an application under these Regulations, the Controller may grant a licence or recognition under the Act; reject the application, giving reasons for the refusal or rejection. (2) Every licence shall specify the services to be provided by the person and may be issued subject to conditions specified in the licence. (3) A licence or recognition shall be in Form 2 or 3 respectively in Schedule 1. (4) Where the Controller refuses to grant a licence or rejects the application for a licence, the Controller shall give reasons to the applicant in writing within the time specified in sub regulation (1)

8. Application for exemption from licence, recognition or registration (1) An application under section 22(3) by an organisation for exemption from the requirements of a licence, registration or recognition shall be in Form 4 in Schedule 1. (2) The application shall specify the description of the nature of the organization and how the services for which the exemption is required shall be provided to the members of the organisation. PART II- GENERAL PROVISION RELATING TO LICENCES AND RECOGNITION 9. Duration of licence, registration or recognition Every licence, registration, certificate or recognition granted or issued under these regulations shall be valid for two years from the date of issue. 10. Transfer of licence. (1) A licence or recognition issued by the Controller shall not be transferred without the written consent of the Controller. (2) A licensee or recognized certification service provider may apply to the Controller in Form 4 in Schedule 1 for consent to transfer a licence. (3) An application under sub regulation (2) shall be accompanied by an application for grant of a licence or recognition by the person to whom the licensee or recognized service provider intends to transfer the licence or recognition. (4) The Controller shall, when considering an application for the transfer of a licence, take into account the requirements and qualifications that apply to the grant of a licence. (5) For the purposes of this regulation a change in name without a transfer of control does not require the consent of the Controller. (6) A person licensed or recognized under these Regulations shall within fourteen days after any change in name under sub regulation (5) notify the

Controller of the change. 11. Agents of a licensee, registered or recognized provider. (1) A licensee, registered or recognized provider may use an agent to deliver the certification, repository or date and time services in accordance with the obligations of the licence, registration or recognition. (2) Every agent appointed under sub regulation (1) shall comply with the Act and these Regulations. (3) The agent shall have the same liability as the person appointing them in respect of the services provided under the Act or these Regulations. 12. Renewal of a licence, registration or recognition. (1) An application for the renewal of a licence, registration or recognition shall be made at least two months before the expiration of the licence, registration or recognition. (2) Before renewing a licence, registration or recognition the Controller shall take into account the performance of the operator during the duration of the licence, registration or recognition. (3) Every application for renewal of a licence or recognition of a certification service provider shall be accompanied with a certification practice statement and a report of an auditor certifying the compliance of the provider with the Act and these Regulations. 13. Suspension and revocation of licence, registration or recognition. (1) The Controller may suspend or revoke a licence, registration or recognition issued under this Act, on the grounds specified in section 27 of the Act. (2) The Controller shall notify the provider in Form 5 in Schedule 1 specifying the reasons for the intended suspension or revocation, during which the operator may make representations to the Controller. (3) After consideration of any representations by the provider, the Controller may prescribe time during which the provider is required to remedy the

offending act or conduct. (4) Where the Controller is satisfied that the measures under subsection (3) are not sufficient, the Controller may (a) suspend the licence, registration or recognition for a specified period; or (b) revoke the licence, registration or recognition. 14. Surrendering a licence, registration or recognition (1) A licensee or recognized certification service provider, repository provider or date and time stamp service provider may discontinue providing services and surrender the licence, registration or recognition - (a) in the case of a certification service provider, after notifying subscribers listed in valid certificates issued by the certification service provider; (b) in the case of provider of repository services, after notifying certification service providers for which any certificates have been published; after making arrangements for the secure preservation of the records of the provider; in a manner that will cause minimal disruption to the subscribers of valid certificates and to relying parties. (2) A certification service provider, repository or date and time stamp provider shall surrender the licence, registration or recognition under sub regulation (1) after the Controller is satisfied that the conditions specified in this regulation have been complied with. (3) The notifications referred to in sub regulation (1) shall be in the form specified in Schedule 1. PART IV- CERTIFICATION SERVICE PROVIDERS 15. Particulars of certification service provider disclosure records (1) For the purposes of section 21(3) of the Act the disclosure records of every licensed or recognized certification service provider shall contain - (a) a statement that the certification service provider disclosure record

is provided and maintained by the Controller; (b) the full name of the certification service provider and any other names under which the service provider does business; (c) the address of the certification service provider - (d) the licence or recognition certificate number, the date of issue and of expiry; (e) a list and description of services that the certification service provider is licensed or recognized to provide; (f) the conditions or restrictions imposed on the licence or recognition; (g) any unreasonable risk statements published in terms of section 80 of the Act; (h) if the licence or recognition has been revoked, the effective date of the revocation; (i) if the licence or recognition has been surrendered, the effective date of the surrender; (j) if the licensed or recognized certification service provider has no intention of renewing its licence or recognition, a statement to that effect; (k) the current public key or keys of the certification service provider by which its digital signatures on published certificates may be verified; (l) a statement indicating the location of the certification service provider's certification practice statement and the means by which it may be obtained; (m) the dates and results of all compliance audits; (n) the repository or repositories used by the certification service provider; (o) if a certificate containing the public key required to verify one or more certificates issued by the certification service provider has been revoked or is currently suspended, the date and time of its revocation or suspension;

(p) any other particulars relating to the certification service provider the certification service provider or Controller deems appropriate. (2) The Controller will review certification service provider disclosure records on a regular basis to ensure that all required information is included in the certification service provider disclosure records. (3) Where a certification service provider believes that any of the information contained in the database maintained by the Controller is false or misleading, the provider shall immediately notify the Controller specifying the information and the reasons why it should be changed. 16. Requirement to provide information for disclosure records Every licensed or recognized certification service provider shall within two days after grant of the licence or recognition provide to the Controller all the information required by these Regulations to be maintained by the Controller. 17. Retention of certification service provider disclosure records A repository shall retain the certification service provider disclosure records for ten years. PART V - REQUIREMENTS FOR ISSUING CERTIFICATES TO SUBSCRIBERS 18. Types of certificates (1) Subject to any conditions imposed by the licence or recognition, a certification service provider may issue certificates to subscribers with different levels of assurance. (2) The certification service provider shall set out distinct provisions in its certification practice statement for approval by the Controller for each type of certificate to be issued. (3) The certification service provider shall bring to the attention of subscribers and relying parties, the effect of using and relying on different types of certificates. 19. Issuing certificates to subscribers

(1) A licensed or recognized certification service provider shall specify in the certification practice statements, the subscriber identity verification method employed for issuing certificates. (2) In addition to the requirements specified in the Act and these Regulations, a certification service provider shall comply with the provisions set out in its certification practice statement for issuing certificates. (3) The certification practice statement of a certification service provider may contain conditions with standards higher than the conditions specified in the Act or these Regulations. (4) The certification service provider shall provide a reasonable opportunity for the subscriber to verify the contents of the certificate before it is accepted. (5) Subject to any agreement to the contrary by the certification service provider and the subscriber, where a subscriber accepts a certificate, the certification service provider shall publish a signed copy of the certificate. (6) Every certificate shall state the date on which it expires. (7) A certificate issued to a subscriber under this regulation may be renewed at the request of the subscriber. 20. Suspension or revocation of certificate (1) A certification service provider shall suspend or revoke a certificate (a) on the request of the subscriber; (b) where the certification service provider is satisfied that the certificate is unreliable; (c) where the certificate was issued without complying with the Act or these Regulations. (2) Upon receiving a request for suspension or revocation of a certificate by a subscriber, the certification service provider shall suspend the certificate and publish a notice of the suspension or revocation. (3) Upon receiving a request for suspension or revocation of a certificate by a

person other than the subscriber, the certification service provider or the Controller if the certification service provider is not available, shall, after verifying the identity of the person requesting for the suspension and satisfying itself that the certificate is unreliable, suspend the certificate and investigate. (3) The certification service provider shall complete the investigation into the reliability of the certificate and decide within forty-eight hours whether to reinstate the certificate or to revoke the certificate. (4) A certification service provider shall give notice to the subscriber immediately upon the revocation of a certificate. (5) A certification service provider shall maintain facilities to receive and act upon requests for suspension and revocation at all times of the day and on all days of every year. 21. Order by Controller to suspend or revoke certificate (1) Where the Controller believes that there are reasonable grounds to suspend or revoke a certificate, the Controller shall immediately notify the certification service provider and the subscriber, inviting them to show cause within twenty four hours why the certificate should not be suspended or revoked. (2) If the certification service provider and the subscriber fail to show cause why the certificate should not be suspended or revoked within the time specified in sub regulation (1), the Controller shall order the provider to revoke the certificate. 22. Privacy and protection of subscriber s information (1) Every certification service provider or agent shall keep all subscriber-specific information confidential. (2) Sub-regulation (1) does not apply to (a) any disclosure of subscriber-specific information made (i) with the permission of the subscriber; or (iv) in compliance with an order of court or the requirement of any

law; or (b) any subscriber-specific information which (i) is contained in the certificate, or is otherwise provided by the subscriber to the certification service provider, for public disclosure; or (ii) relates to the fact that the certificate has been suspended or revoked. PART VI - CERTIFICATION PRACTICE STATEMENTS 23. Preparation and publication of certification practice statements (1) Every certification service provider shall prepare and publish on their website a certification practice statement in accordance with the Act and these regulations. (2) A certification service provider shall notify the Controller and publish on their website any proposed amendments to certification practice statements, along with a statement of reasons for the proposed amendments, at least thirty days before the effective date of any amendments. (3) The Controller may notify the certification provider to remove from the practice statement any provision which is not consistent with the Act or these Regulations, or which in the opinion of the Controller is unreasonable, including fees and charges. (4) A certification service provider shall maintain on their website each version of the certification practice statement, together with the dates when they became effective. 24. Form of certification practice statement A certification practice statement shall be in a form that - (a) ensures that the information conveyed clearly demonstrate the use of trustworthy systems; (b) is clear, complete and concise; (c) conforms to any form requirements specified by the Controller.

25. Contents of a certification practice statement

(1) Every certification practice statement shall include -
(a) a statement of the purpose and effect of the certification practice statement;
(b) a statement advising the potential subscribers of the rights, duties and liabilities of the certification service provider, the subscriber and a person relying on a certificate;
(c) a statement of the conditions or restrictions on the certification service provider's licence or recognition;
(d) a list and description of the services provided and the fees and charges relating to those services;
(e) complete, accurate and clear operating procedures, including procedures for applying, issuing, suspension and revocation of certificates;
(f) a statement with regard to the different classes of certificates available and advising potential subscribers that the subscriber shall decide which class of certificate is right for the subscriber's needs;
(g) a statement regarding the determination of the recommended reliance limits for certificates, advising potential subscribers that the subscriber shall decide the amount of the recommended reliance limit that is right for the subscriber's needs;
(h) procedures for complaints and claims against the certification service provider;
(i) a statement regarding the protection and use of data obtained from the subscribers;
(j) a statement advising the potential subscribers in respect of the generation of key pairs, the need to keep the private key secure from compromise and in a trustworthy manner;
(k) a statement advising potential subscribers that before communicating any certificate to another person, or otherwise inducing their use or reliance on it, the subscriber shall accept the certificate, upon which certain representations shall be implied on the subscriber;
(l) a statement advising potential subscribers to immediately notify the certification service provider when the subscriber's private key is compromised;
(m) a statement advising potential subscribers that data with digital signatures may need to be re-signed when the security value of an available digital signature decreases.

(2) A certification service provider who contravenes sub regulation (1) commits an offence and is liable on conviction to a fine not exceeding seventy currency points or imprisonment not exceeding three years or both.

PART VII - REPOSITORIES

26. Responsibilities of providers of repository services

(1) Every repository provider shall establish and maintain a publicly accessible database for the purposes of -
(a) publishing the information required to be published under the Act and these Regulations;
(b) publishing the additional information required by the Controller;
(c) publishing the additional information a licensed or recognized certification service provider may require; and
(d) publishing any other necessary or appropriate information for the purposes of the Act or these Regulations.

(2) A repository provider shall ensure that the publicly accessible database is maintained in a manner that does not contain information which the provider knows to be incorrect or is likely to be incorrect, inaccurate or not reasonably reliable.

(3) A repository provider shall publish all information received and required to be published as soon as practicable, but not later than twenty four hours after receipt of the information.

(4) Where the repository provider is unable to comply with sub regulation (3), the provider shall upon receipt of the information immediately notify the person providing or requiring the publication of the information and the Controller in Form 6 in Schedule 1.

(5) A repository provider who contravenes this regulation commits an offence and is liable on conviction to a fine not exceeding seventy two currency points or imprisonment not exceeding three years or both.

27. Archive of suspended or revoked certificates

A repository provider shall maintain for ten years an archive of certificates that have been suspended or revoked.

PART VIII - DATE AND TIME STAMP SERVICES

28. Operations of date and time stamp service provider

(1) A date and time stamp service provider shall upon receipt of a document for date and time-stamping, immediately stamp the date and time on the document and digitally sign the date and time-stamp.

(2) The date and time stamped on the document shall be the date and time on which the document is received.

(3) A date and time stamp service provider shall at the end of each business day publish, in at least one recognized repository, all documents date and time-stamped by the provider that day.

(4) For the purpose of sub regulation (3), only the hash result shall be published.

(5) Where a date and time stamp service provider is unable to comply with sub regulation (3), the provider shall immediately notify the person requesting for the date and time stamp and the Controller in Form 6 in Schedule 1.

(6) A date and time stamp service provider who contravenes this regulation commits an offence and is liable on conviction to a fine not exceeding seventy two currency points or imprisonment not exceeding three years or both.

PART IX - RECORDS KEEPING BY CERTIFICATION SERVICE, REPOSITORY AND DATE AND TIME STAMP PROVIDERS

29. Records to be kept by certification, repository, and date and time service providers

(1) Every certification service provider, repository provider and date and time stamp service provider shall keep the following records for seven years -
(a) all applications for issuing certificates to subscribers;
(b) documents relating to the verification of certificates generated;
(c) information relating to expired, suspended or revoked certificates;
(d) reliable records and logs for activities that are core to the provider's operations, including certificate management, key generation and administration of computing facilities.

(2) All certificates shall be kept in a manner that -
(a) a person who is not authorized cannot make changes to the certificates;
(b) makes it possible to verify that the information is correct; and
(c) the certificate is available to the public only where the subscriber expressly permits.

(3) A certification service provider, repository provider or date and time stamp service provider shall maintain -
(a) the database of records in a manner that allows subscribers and relying parties to readily access those records;
(b) all records in a manner that guarantees the security, integrity and accessibility of the records and allows for retrieval and inspection of the information by the Controller.

(4) A certification service provider, repository provider or a date and time stamp service provider may re-sign a record or information required to be kept under this regulation to protect the integrity of the record or information in the event of technological advances that impact on the reliance of the original record.

PART X - COMPLIANCE AUDITS

30. Registration of auditors

(1) A person shall not audit a certification service provider, repository provider or a date and time stamp provider for compliance with the Act or these Regulations unless that person is qualified to be an auditor and is registered with the Controller.

(2) An application to register as a compliance auditor shall be made to the Controller in Form 7 in Schedule 1 and shall -
(a) set out the name of the applicant, and in the case of -
(i) an individual, the identification number of that person;
(ii) a juristic person, the registration number of that person;
(b) set out the name and address of the contact person if different from the applicant;
(c) describe the expertise and experience of the applicant, including any qualifications and international recognition as a security professional or certification as a public accountant;
(d) include a statement demonstrating adequate knowledge of digital signature technology practices;
(e) include a statement demonstrating complete knowledge of the requirements of the Act and these Regulations;
(f) include any other information relevant to the Controller in considering the application.

(3) The Controller may request further information, which shall be provided by the applicant as specified by the Controller.

(4) The Controller shall within thirty days after receipt of the application under this regulation register or reject the applicant.

(5) Where the Controller rejects an application for registration as a compliance auditor, the Controller shall within the time specified in sub regulation (4) notify the applicant giving reasons for the rejection.

31. Qualifications for compliance auditors

For a person to qualify to conduct compliance audits under the Act or these Regulations, that person shall -
(a) have evidence of international recognition as a security professional or certification as a public accountant;
(b) be familiar with digital signature technology and practices; and
(c) be knowledgeable about the requirements of the Act, these Regulations and any other law relating to electronic transactions.

32. Revocation of registration of auditor

(1) The Controller may revoke the registration of a compliance auditor where -
(a) the international recognition or certification in respect of that auditor is withdrawn, suspended, cancelled or revoked;
(b) the auditor contravenes the Act or these Regulations.

(2) Before revoking the registration under this regulation, the Controller shall give notice requiring the auditor to show cause, within fourteen days, why the registration should not be revoked.

33. Auditing of certification, repository and date and time stamp providers

(1) Every certification service provider, repository and date and time stamp service provider shall engage a registered auditor at least once a year to conduct an annual audit for compliance with the Act and these Regulations.

(2) The audit under sub regulation (1) shall be conducted at least one hundred and eighty days before the expiry of the licence, registration or recognition of the provider.

(3) The Controller may also engage an auditor to conduct audits on a licensed or recognized certification service provider, repository or date and time stamp provider, with or without notice to the relevant service provider.

(4) Every licensed, registered or recognized certification service provider, repository or date and time service provider shall make available any information, document or personnel required by the auditor.

(5) The auditor shall determine and indicate in the audit report whether the certification service provider is in full compliance, partial compliance or non-compliance with the Act and these Regulations.

(6) For the purposes of sub regulation (5) compliance shall be determined as follows -
(a) full compliance shall be indicated where the service provider complies with all the requirements of the Act and these Regulations;
(b) partial compliance shall be indicated where the service provider complies with some of the requirements of the Act and these Regulations but not all the requirements;
(c) non-compliance shall be indicated where the relevant service provider complies with a few or none of the requirements of the Act or these Regulations, fails to keep adequate records to demonstrate compliance, or refuses to submit to an audit.

(7) Where the relevant service provider complies with some or a few of the requirements, the auditor shall indicate the provisions or requirements with which the service provider complies and those that have not been complied with.

(8) The auditor shall within sixty days after being engaged, submit a report of the audit to the service provider with a copy to the Controller.

(9) Every audit report shall contain -
(a) the date of the audit;
(b) a list of the information and documents examined and personnel interviewed;
(c) the results of the audit; and
(e) any other relevant information.

PART XI - COMPLAINTS AND DISPUTES

34. Internal complaints procedures of providers

(1) Every certification service provider, repository provider or date and time stamp service provider shall establish clear and simple internal procedures for the resolution of complaints by the service provider.

(2) Every certification, repository or date and time service provider shall deal with every complaint submitted to it within fourteen days after receipt of the complaint.

(3) A certification service provider, repository provider or date and time stamp service provider shall notify any person who -
(a) submits a complaint to the provider, that the person may submit a complaint to the Controller;
(b) is not satisfied with the way a certification, repository or date and time service provider has dealt with a complaint, that they may submit a complaint to the Controller.

(4) A certification service provider, repository provider or a date and time stamp provider shall refer to the Controller any complaint which cannot be resolved within the time specified in this regulation or which in the opinion of the provider cannot be addressed by the provider.

35. Records of complaints

A certification service provider, repository provider or date and time stamp service provider shall maintain records of all internal complaints and complaints referred to the Controller and shall make a report on the complaints every three months.

36. Complaints to Controller

(1) Any person may submit a complaint to the Controller against a certification service provider, repository provider or date and time stamp service provider.

(2) Every complaint shall be in writing and shall contain -
(a) the name and contact details of the complainant and the name and contact details of the person submitting the complaint, if different from the complainant;
(b) the name and address of the service provider against whom the complaint is made;
(c) a concise statement of the complaint or allegation of non-compliance with the Act, these Regulations, or a licence or recognition;
(d) a complete and accurate statement of the facts illustrating the complaint;
(e) where applicable, a clear and concise statement of the specific relief or remedy sought; and
(f) any other relevant information.

37. Resolution of complaints by Controller

(1) Upon receiving a complaint, the Controller shall, unless the complaint is frivolous, issue a reference number to the complainant and provide a copy of the complaint to the service provider against whom the complaint is made.

(2) The service provider against whom the complaint is made shall, within five days, respond in writing to the Controller.

(3) The Controller may request additional information from the complainant or the respondent.

(4) The Controller shall within thirty days after receipt of the response of the service provider -
(a) informally mediate the dispute between the parties;
(b) further investigate the complaint;
(c) conduct a formal hearing of both parties to the complaint;
(d) dismiss the complaint, wholly or partly;
(e) grant the relief sought in the complaint, either wholly or partly;
(f) order the service provider to take appropriate action to remedy or deal with the complaint;
(g) take any other action or decision, as may be appropriate in the circumstances.

38. Complaints between service providers

Where a complaint is made by a certification service provider, repository provider or a date and time stamp provider against another service provider, and the Controller considers it necessary or appropriate, the Controller may convene a meeting of the concerned service providers to resolve the complaint.

PART XII - GENERAL PROVISIONS

39. Appeals

(1) A person aggrieved by a decision of the Controller under these Regulations may appeal to the Minister.

(2) The appeal shall be submitted in writing, with a copy provided to the Controller, within thirty days of the notice of the decision.

40. Submission of information

Information or a document required to be submitted to the Controller or the Minister may be submitted physically or electronically -
(a) by hand to the head offices of the Controller or the Minister;
(b) by post to the head offices of the Controller or the Minister;
(c) by electronic mail to the address of the Controller or the Minister;
(d) by facsimile to the number of the Controller or the Minister; or
(e) in any other manner or at alternative addresses or numbers specified by the Controller or the Minister.

41. Fees

(1) The fees specified in Schedule 2 shall be paid in respect of the services or activities to which they relate.

(2) All application and licence fees shall be paid by way of electronic transfer or direct deposit into the Controller's bank account.

(3) The prescribed application fee shall be paid on or before the day an application is submitted to the Controller, and the prescribed licence fee shall be paid before the licence is issued.

(4) All the fees prescribed in Schedule 2 are not refundable.

SCHEDULES

SCHEDULE 1

Form 1
Regulations 5(2), 6(2)

THE REPUBLIC OF UGANDA
THE ELECTRONIC SIGNATURES REGULATIONS, 2012

Application for a licence to provide certification service* repository* or date and time stamp service*

To: The Controller,

1. Particulars of applicant:
(a) Name: ..........
(b) Physical address: ..........
(c) Postal address: ..........
(d) Telephone (fixed line): ..........
(e) Mobile phone: ..........
(f) Fax: ..........
(g) E-mail address: ..........
(h) Identification number (in case of an individual): ..........
(i) Name of contact person (where different from applicant): ..........

2. Legal status of applicant:
Indicate legal status of applicant (Attach certificate of incorporation, memorandum and articles of association where applicable) ..........

3. Particulars of directors:
     Name          Address          Nationality          Country of usual residence
(a)  ..........    ..........       ..........           ..........
(b)  ..........    ..........       ..........           ..........

4. Technical capacity and experience of applicant.
Provide detailed statement of applicant's technical competence and experience in the certification service* repository* or date and time stamp service*.
(a) Please give the name of the staff employed by the applicant and their job description (attach a separate sheet) ..........
(b) Please indicate the academic qualifications of each member of staff and their curriculum vitae ..........
(c) A declaration that none of the staff members have been convicted of any felony or an offence involving fraud, false statement or deception ..........

5. Description of the proposed service to be provided and a detailed operating procedure ..........

6. Description of the technical specifications of the hardware and software systems and the standards that the systems comply with ..........

7. Description and location of facilities ..........

8. Policies for security, privacy of information and disaster recovery ..........

9. Statement of the proposed costs and financing ..........

10. Name of the applicant's insurers and proof of insurance ..........

11. Attach auditor's report certifying compliance with the requirements set out in the Act and these Regulations.

12. Declaration by the applicant:
I declare that the details stated above are, to the best of my knowledge, true and correct.

13. Authorised signature and seal of applicant
Name ..........
Signature ..........
Seal ..........

Dated this .......... day of .......... 20....

*delete whichever is not applicable.

Form 2
Regulation 7(3)

THE REPUBLIC OF UGANDA
THE ELECTRONIC SIGNATURES REGULATIONS, 2012

LICENCE TO PROVIDE CERTIFICATION SERVICE

No. ..........

.......... (name) of .......... (address) is licenced to provide certification services in accordance with the Electronic Signatures Act, 2011.

This licence is subject to the following conditions ..........

This licence is valid for twenty four months from date of issue.

Dated this .......... day of .........., 20....

Controller

Form 3
Regulation 7(3)

THE REPUBLIC OF UGANDA
THE ELECTRONIC SIGNATURES REGULATIONS, 2012

RECOGNITION OF REPOSITORY* OR DATE AND TIME STAMP PROVIDER*

No. ..........

.......... (name) of .......... (address) is recognized as repository* or date and time stamp provider* in accordance with the Electronic Signatures Act, 2011.

The recognition is valid for twenty four months from date of issue.

Dated this .......... day of .........., 20....

Controller

*Delete whichever is not applicable

Form 4
Regulation 8(1)

THE REPUBLIC OF UGANDA
THE ELECTRONIC SIGNATURES REGULATIONS, 2012

APPLICATION FOR EXEMPTION FROM LICENCE

To the Minister

1. Particulars of applicant:
(a) Name: ..........
(b) Physical address: ..........
(c) Postal address: ..........
(d) Telephone (fixed line): ..........
(e) Mobile phone: ..........
(f) Fax: ..........
(g) E-mail address: ..........

2. Legal status of applicant:
Indicate legal status of applicant (Attach certificate of incorporation, memorandum and articles of association where applicable) ..........

3. Particulars of directors:
     Name          Address          Nationality          Country of usual residence
(a)  ..........    ..........       ..........           ..........
(b)  ..........    ..........       ..........           ..........
(c)  ..........    ..........       ..........           ..........
(d)  ..........    ..........       ..........           ..........

4. Describe the nature of the organization ..........

5. Reasons why the organization is applying for the exemption ..........

6. Describe how the services the subject of the application will be provided to the members of the organisation ..........

7. State the policies for security, privacy of information and disaster recovery ..........

8. Authorised signature and seal of applicant
Name ..........
Signature ..........
SEAL ..........

Dated this .......... day of .......... 20....

Form 5
Regulation 10(2)

ELECTRONIC SIGNATURES REGULATIONS 2012

APPLICATION FOR CONSENT TO TRANSFER LICENCE

The Controller

Name .......... of .......... (address), holder of licence No. .......... dated .........., apply for consent to transfer the licence to .......... of .......... (address of proposed transferee).

Dated this .......... day of .......... 20....

Applicant

Form 6
Regulation 13(2)

THE REPUBLIC OF UGANDA
THE ELECTRONIC SIGNATURES REGULATIONS, 2012

NOTICE

To .......... (name of licensee or recognition certificate holder) of .......... (address).

Take notice that the Controller intends to suspend* or revoke* your licence No. .......... dated .......... on the following grounds -
..........

You are required to show cause why your licence should not be suspended* or revoked* within thirty days from the date of receipt of this notice.

Dated this .......... day of .......... 20....

Controller

Form 7
Regulations 26(4), 28(5)

ELECTRONIC SIGNATURES REGULATIONS 2012

NOTICE OF INABILITY TO PUBLISH

To:
(1) .......... (Name of person providing the information)
(2) Controller.

Take notice that we are unable to publish the information provided* or requested* or the documents date and time stamped* in the repository within twenty four hours due to the following -
..........

Dated this .......... day of .........., 20....

Repository provider*/date and time stamp provider*

*delete whichever is not applicable

Form 8
Regulation 30(2)

ELECTRONIC SIGNATURES REGULATIONS 2012

APPLICATION TO REGISTER AS COMPLIANCE AUDITOR

1. (a) Name of applicant ..........
   (b) Address ..........

2. Legal status of applicant .......... (Attach a certificate of registration where applicable).

3. Qualification and experience (attach a curriculum vitae) ..........

4. Describe your knowledge of digital signature technology practices ..........

5. Statement of knowledge of the requirements of the Act and Regulations ..........

Dated this .......... day of .......... 2012

Applicant

SCHEDULE 2
Reg. 41

FEES

Item                                                              Amount (Shs)
1. Application for a licence as certification service provider    22,000,000/=
2. Application for recognition of foreign certification           25,000,000/=
3. Transfer licence                                               25,000,000/=
4. Renewal of licence                                             22,000,000/=
5. Recognition of repository/date and time stamp provider         22,500,000/=
6. Registration of compliance auditor                             15,000,000/=

RUHAKANA RUGUNDA (DR.) Minister of Information and Communications Technology